From Sept. 1, 2013 until Sept. 16, 2015, hackers were pilfering T-Mobile USA's customer information, and no one knew about it—until yesterday.
Approximately 15 million T-Mobile USA customers and applicants are at risk because of a data breach at Experian, which handles customer information on T-Mobile USA postpaid and device financing services. Experian claims that on Sept. 15 it discovered that an unauthorized party somehow had accessed an Experian server containing T-Mobile customer data, though no public announcement was made until Oct. 1.
According to Experian, the breach data includes customer names, addresses, Social Security numbers and dates of birth. Experian claims that banking and payment card information was not stolen.
Although Experian had encrypted all of its data, that's not going to limit the risk.
"Experian has determined that this encryption may have been compromised," T-Mobile CEO John Legere wrote in an open letter to customers.
Neither T-Mobile nor Experian are reporting that they have any evidence at this point that the customer data has been misused. That said, Experian is now offering affected T-Mobile customers free credit monitoring, just in case.
"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected," Legere wrote. "I take our customer and prospective customer privacy VERY seriously. This is no small issue for us."
Experian is no stranger to data theft. In July, Experian was hit with a class-action lawsuit that alleged the company enabled an identity thief to access data. On July 14, the U.S. Department of Justice sentenced identity thief Hieu Minh Ngo to 13 years in prison for his role in the data theft, in which information on 200 million U.S. citizens was accessed.
Experian has also suffered from a significant volume of data breaches, according to Jake Kouns, chief information security officer of Risk Based Security.
"Prior to this latest issue, we have tracked 103 previous data breaches at Experian, making them the most breached company of all time," Kouns told eWEEK. "It is very unfortunate that the company many consumers trust to monitor their most personal information still does not have a proper information security program in place."
Bobby Kuzma, systems engineer at Core Security, told eWEEK that for the T-Mobile breach, Experian appears to be following its own recommendations, outlined in a Data Breach Response Guide for what to do in the case of a data breach.
"I'm not surprised by how long the attackers were in Experian's systems. These multiple-year breaches are sadly still the norm." Kuzma told eWEEK. "I don't believe this breach is going to substantially increase the threats of identity theft, but that isn't saying much, since despite our best efforts, it still remains trivially easy to steal identities."
Multiple security experts contacted by eWEEK were shocked by the fact that data that was supposedly encrypted by Experian is at risk, since it was somehow decrypted.
"It blows my mind not that attackers got to the data—but that they can decrypt it," JP Bourget, CEO and founder of Syncurity, told eWEEK. "The big thing Experian has done wrong is not implement encryption correctly. This is inexcusable."
Confidential and personal data that is exchanged between business partners needs to be handled with hyper-secure methods, added Craig Lurey, CTO and co-founder of Keeper Security.
"If data is leaked, the hackers should not have been able to decrypt it—if the method of encryption used was strong and implemented correctly," Lurey told eWEEK.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.